[Dshield] PDF Spam Wave
dshieldlists at versateam.com
Fri Aug 3 23:15:37 GMT 2007
> I've read the diaries, so I do know others are seeing PDF spam. What I'd like
> to see is if it's also spoofing your domains/hosts. Let me explain.
> On Aug. 1st about midnight, a massive influx of mail started such that I never
> saw. Mailservers from all over, places I never heard of, started trying to
> deliver...something. These connections were about 2-3 per second, then after
> about 6-7 hours slowed to 2-3 per minute. They all had "bounces" for a host on
> the intranet. Only thing was, no one there ever sent any mail! They looked
> like so:
I'm sorry, but what is your point again? This sort of thing has been
going on for years -- the spoofed "from" address, the mail servers
accepting the mail (instead of rejecting it) even though the addressees
are bad, and after they have accepted the mail, they have to send it
back -- and the only place they can send it to is the "from" address.
It's not just the PDF attachment -- or the zip attachment, or any other
specific class of UCE.
The solution is for those who are running mail servers to reject (5xx
code, in SMTP terms) if the address is bad, rather than accept and then
send a bounce message. If the mail is rejected, the actual sender gets
the message; if the mail is accepted then bounced, the spoofed "from"
gets the message. Since this means the accepting server is contributing
to the distribution of spam (even if it is in the bounce message) it
needs to be considered a misconfiguration.
Those who have to put up with this spam blowback can't do much except
remind those whose SMTP is doing it that there is a better way --
reject, don't accept-then-bounce.
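An added example (not part of the original thread) modelling the two gateway behaviours discussed above: answering 5xx at RCPT TO versus accepting and bouncing later. The domain, mailbox names and the forged sender address are constructed sample values.

```python
# Minimal model of an inbound mail gateway's RCPT stage, showing where the
# failure notice ends up under each policy. All addresses are constructed.
from dataclasses import dataclass, field

VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed directory


@dataclass
class Outcome:
    dialogue: list = field(default_factory=list)    # SMTP lines, client (C) and server (S)
    bounces_to: list = field(default_factory=list)  # addresses that receive a DSN


def deliver(mail_from, rcpt_to, reject_at_rcpt):
    """Simulate one inbound message for one recipient.

    reject_at_rcpt=True : look the address up during RCPT TO and answer 550
                          (5xx), so the sending MTA owns the failure.
    reject_at_rcpt=False: answer 250, discover the bad address afterwards, and
                          send a bounce to the only address left: MAIL FROM.
    """
    out = Outcome()
    out.dialogue.append(f"C: MAIL FROM:<{mail_from}>")
    out.dialogue.append("S: 250 2.1.0 Ok")
    out.dialogue.append(f"C: RCPT TO:<{rcpt_to}>")
    known = rcpt_to in VALID_RECIPIENTS
    if not known and reject_at_rcpt:
        out.dialogue.append("S: 550 5.1.1 Recipient address rejected: User unknown")
        return out  # nothing accepted, so nothing to bounce
    out.dialogue.append("S: 250 2.1.5 Ok")
    out.dialogue.append("C: DATA ...  S: 250 2.0.0 Ok: queued")
    if not known:
        # Accepted, then found undeliverable: the gateway generates a DSN to the
        # (forged) envelope sender. This is the "blowback" seen in the thread.
        out.bounces_to.append(mail_from)
    return out


SPAM_RUN = [  # constructed: one forged sender, a few guessed mailboxes
    ("victim@intranet.example", "alice@example.com"),
    ("victim@intranet.example", "aaron@example.com"),
    ("victim@intranet.example", "abby@example.com"),
]


def backscatter_to_forged_sender(messages, reject_at_rcpt):
    """Count DSNs that would land in the forged sender's mailbox."""
    return sum(len(deliver(f, r, reject_at_rcpt).bounces_to) for f, r in messages)
```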